W32/Sober.K@mm

• Type: Worm
• Spreading mechanism: Email
• Overall risk: Low
• Detected by virus detection files published: 2/21/2005
• Virus characteristics first published: 2/21/2005
• Virus characteristics latest update: 10/30/2007
• Affected platforms: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista

Email characteristics:
  • Subject: Variable (chosen from lists inside the worm)
  • Body: Variable (chosen from lists inside the worm)
  • Attachment: Variable (a ZIP file containing a copy of the worm)

When the worm is executed, it displays a Notepad window containing MIME-encoded text, followed by an error message. In the background it creates a number of files in the \MSAGENT\WIN32 directory, most notably three almost identical copies of itself named SMSS.EXE, WINLOGON.EXE and CSRSS.EXE. These are the names of legitimate Windows system processes (the Session Manager, the Windows logon process and the Client/Server Runtime) present on every NT-family system, which makes the worm's processes hard to tell apart from the real ones and difficult to shut down using Task Manager. The legitimate binaries live in the Windows System32 directory, so the image path, not the process name, is what distinguishes a worm copy. Run entries are added to the registry so that the copies are started again at logon.

File system changes:

In folder \MSAGENT\WIN32:

smss.exe
winlogon.exe
csrss.exe
datamx1.dat
datamx2.dat
datamx3.dat
goto1.dat
goto2.dat
goto3.dat
runnowso.ber
zipedso1.ber
zipedso2.ber
zipedso3.ber

The ten .dat and .ber files are used for temporary storage of harvested email addresses and of MIME-encoded copies of the worm.

In folder :

read.me
nonrunso.ber
stopruns.zhz

The file read.me contains the following German text:

Ist eine weitere Test-Version. Läuft nur ein paar Tage!

In diesem Sinne:
Odin alias Anon

In English: "This is another test version. It only runs for a few days! In this spirit: Odin alias Anon"

Registry changes:

Adds the value winsystem.sys = \MSAGENT\WIN32\SMSS.EXE under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds the value _winsystem.sys = \MSAGENT\WIN32\SMSS.EXE under HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Both are Run entries, so SMSS.EXE is launched at every user logon: the HKLM value for any user of the machine, the HKCU value for the user who ran the worm. Cleaning the machine means deleting both values as well as the files; removing the files alone leaves dangling Run entries, and removing only one value leaves the worm persistent.
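A triage check for the artifacts described above, added here as an example and not VirusFighter's own code. It parses the text that `reg query <Run key>` prints and a list of running processes, then flags Run values named winsystem.sys or _winsystem.sys, Run data pointing into \MSAGENT\WIN32\, and processes that carry one of the three system names but run from outside System32. The registry output and process list are constructed samples, not captured from an infected host; the drive letter and the C:\WINDOWS system root are assumptions, since the description only gives \MSAGENT\WIN32 as a relative path.

```python
r"""Triage check for the Sober.K persistence artifacts listed above.

Added example, not VirusFighter's code. The registry output and process list
below are constructed samples; the drive letter and C:\WINDOWS system root are
assumptions, since the description only gives \MSAGENT\WIN32.
"""
import ntpath
import re

# Worm copies share these names with legitimate NT-family processes, which
# normally run only from %SystemRoot%\System32.
WORM_PROCESS_NAMES = {"smss.exe", "winlogon.exe", "csrss.exe"}
# Run value names from the description (HKLM and HKCU).
WORM_RUN_VALUES = {"winsystem.sys", "_winsystem.sys"}
# Any Run data pointing into the worm's directory is suspicious regardless of name.
WORM_DIR_MARKER = "\\msagent\\win32\\"

# Constructed sample of `reg query HKLM\...\Run` output (layout: name, type, data).
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    winsystem.sys    REG_SZ    C:\\WINDOWS\\MSAGENT\\WIN32\\SMSS.EXE
    SoundMAX         REG_SZ    C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe
"""

# Constructed sample process list as (image name, full image path).
SAMPLE_PROCESSES = [
    ("smss.exe", "C:\\WINDOWS\\system32\\smss.exe"),
    ("csrss.exe", "C:\\WINDOWS\\system32\\csrss.exe"),
    ("smss.exe", "C:\\WINDOWS\\MSAGENT\\WIN32\\smss.exe"),
    ("csrss.exe", "C:\\WINDOWS\\MSAGENT\\WIN32\\csrss.exe"),
    ("explorer.exe", "C:\\WINDOWS\\explorer.exe"),
]

# One value line: two or more leading spaces, name, REG_ type, data, separated by runs of spaces.
REG_LINE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Return [(value name, type, data)] for each value line of `reg query` output."""
    entries = []
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            entries.append((m.group("name"), m.group("type"), m.group("data").strip()))
    return entries


def suspicious_run_values(entries):
    """Run values whose name matches the worm's or whose data points into the worm directory."""
    return [
        (name, data)
        for name, _type, data in entries
        if name.lower() in WORM_RUN_VALUES or WORM_DIR_MARKER in data.lower()
    ]


def suspicious_processes(processes, system_root="C:\\WINDOWS"):
    """Processes carrying a protected system name but running from outside System32."""
    legit_dir = ntpath.join(system_root, "System32").lower()
    return [
        (name, path)
        for name, path in processes
        if name.lower() in WORM_PROCESS_NAMES and ntpath.dirname(path).lower() != legit_dir
    ]


if __name__ == "__main__":
    for name, data in suspicious_run_values(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print(f"Run value {name!r} -> {data}")
    for name, path in suspicious_processes(SAMPLE_PROCESSES):
        print(f"process {name} running from {path}")
```

On a live host you would feed parse_reg_query the output of `reg query` for both the HKLM and the HKCU Run key, and suspicious_processes a (name, path) list taken from a process lister that reports full image paths; the comparison is by directory, so a copy named smss.exe anywhere other than System32 is reported even if the worm's directory name changes.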

Email generation:

The worm harvests email addresses from local sources and mails itself to them, attached inside a ZIP file that contains a copy of the worm. Subject and body are chosen from lists embedded in the worm. If the recipient address belongs to Germany, Austria, Liechtenstein or Switzerland, the email text is in German; otherwise it is in English. The file inside the ZIP archive carries a double extension, and the worm tries to hide the final, executable extension by inserting runs of spaces into the file name in front of it, so that a name of the form doc_data-text.txt.pif appears to end in .txt while Windows still treats it as a .pif program.
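The attachment trick above, as an added example that is not part of the original description: the code builds a constructed ZIP in memory (harmless bytes under a worm-style entry name, not a real sample), then reports for each entry the extension a user sees in front of the space padding and the extension that actually decides how Windows runs the file. The set of executable extensions is an assumption, not something the description lists.

```python
"""Check a ZIP attachment for the padded double-extension trick described above.

Added example, not VirusFighter's code. The ZIP is constructed in memory with
harmless content; the executable-extension list is an assumption.
"""
import io
import os
import re
import zipfile

# Assumed set of extensions Windows treats as directly executable.
EXEC_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
PADDING = re.compile(r"\s{2,}")


def analyse_name(name):
    """Describe how an archive entry name presents itself versus what it really is."""
    padded = PADDING.search(name) is not None
    visible = PADDING.split(name, maxsplit=1)[0]          # what fits before the space run
    apparent_ext = os.path.splitext(visible)[1].lower()   # extension the user perceives
    stem, real_ext = os.path.splitext(name.rstrip())      # extension that is actually honoured
    real_ext = real_ext.lower()
    return {
        "name": name,
        "padded": padded,
        "apparent_ext": apparent_ext,
        "real_ext": real_ext,
        "executable": real_ext in EXEC_EXTENSIONS,
        # Padding, a mismatch between the two extensions, or a second dot in the
        # stem (readme.txt.pif) are all ways of disguising the real type.
        "disguised": padded or apparent_ext != real_ext or "." in stem,
    }


def scan_zip(data):
    """Analyse every entry name in a ZIP given as bytes; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [analyse_name(info.filename) for info in zf.infolist()]


def build_sample_zip():
    """Constructed sample: a worm-style padded name plus an innocuous text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc_data-text.txt" + " " * 40 + ".pif", b"not a real executable")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for r in scan_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if r["executable"] else "ok"
        print(f"{flag:10} looks like {r['apparent_ext'] or '(none)'}, really {r['real_ext']}: {r['name']!r}")
```

Only the central directory is read, so the check can run on a quarantined attachment without extracting anything; a mail gateway would apply the same analyse_name test to the attachment's own file name as well as to the archive entries.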
